Security audit

Estj Coach

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only coaching skill, but it has inconsistent ESTJ/INTP content and tells the agent to retain personal coaching details without clear user controls.

Review before installing. This does not look like malware, but users should treat it as a coaching skill that may remember sensitive personal details; only install it if you can control or avoid persistent memory, and be aware that ESTJ users may receive INTP-oriented advice because the packaged content is inconsistent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README describes an INTP-focused coaching skill while the manifest says the skill is for ESTJ users. This mismatch can cause the agent to activate with the wrong behavioral framing, deliver inappropriate personality-specific guidance, and bypass user/operator expectations about what the installed skill actually does. In a coaching context, incorrect scoping is especially risky because users may rely on advice tailored to the wrong profile.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented behavior, examples, and coaching logic target INTP growth scenarios rather than the declared ESTJ use case. This is a real integrity and safety issue because downstream systems or users may select the skill expecting ESTJ-specific support, but receive materially different prompts, heuristics, and recommendations. For personality-guided coaching, this context mismatch increases the chance of harmful or misleading advice.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest metadata materially conflicts with the stated purpose of the skill: the skill is presented as ESTJ coaching, but the description, keywords, and tags point to an INTP-focused coaching artifact. This kind of identity mismatch can mislead users, downstream tooling, and reviewers about what content is actually being loaded, which increases the risk of deceptive packaging or accidental misuse.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The repository URL appears unrelated to the declared ESTJ coaching skill, which undermines provenance and makes it harder to audit the source, history, and ownership of the package. An unrelated repository can conceal substituted content, frustrate trust verification, or indicate that the package metadata was copied from another project without proper review.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The reference content labeled for an ESTJ coaching skill describes cognitive functions, weaknesses, and behavioral patterns that do not match ESTJ and instead appear copied from another personality type. In a coaching skill, this can systematically misguide responses, causing users to receive inaccurate psychological advice tailored to the wrong profile, which is a substantive integrity and safety issue even if not a classic code-execution flaw.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The embedded document metadata states the file belongs to a different coach context (`intp-coach`), contradicting the current ESTJ skill. This increases the likelihood that the wrong background knowledge was copied into the skill and can propagate incorrect internal prompting, reducing reliability and potentially amplifying harmful misguidance.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The reference file is clearly for INTP coaching while the skill manifest claims the skill is for ESTJ coaching. This mismatch can cause the agent to deliver systematically wrong personality-specific guidance, undermining user trust and potentially causing harmful advice in sensitive self-improvement or leadership contexts. The skill context makes this more dangerous because the entire purpose depends on tailoring guidance to the correct MBTI type.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation explicitly labels the content as 'INTP Coach' reference material, directly contradicting the ESTJ-oriented skill intent. This is strong evidence of configuration or content integrity failure, increasing the likelihood that the agent will present irrelevant or misleading coaching recommendations to the wrong audience. In a coaching skill, such contradiction is especially risky because users may rely on the advice for interpersonal, emotional, or workplace decisions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README says mode selection is 'automatic' and that some behaviors are 'automatically executed' without defining explicit triggers, boundaries, or user confirmation. Ambiguous activation criteria can lead to the skill acting unexpectedly, switching from reflective coaching to directive advising without consent, or performing stateful actions users did not realize they initiated. In agent systems, unclear trigger semantics are a genuine safety problem.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill claims it will save conversations and action records for future continuation, but it does not clearly disclose what data is stored, where it is stored, how long it is retained, or whether the user can opt out. Because coaching conversations may contain sensitive personal or psychological information, silent persistence materially increases privacy and data-handling risk. The coaching context makes this more dangerous than generic note-taking because users are likely to share intimate details.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Broad emotional prompts such as generic distress can cause the skill to activate during ordinary conversation, leading to unintended collection of sensitive personal context and steering users into a specialized coaching flow they did not explicitly request. In a coaching skill that discusses mood, growth problems, and personal struggles, overbroad activation increases privacy and safety risk because sensitive disclosures may be elicited without clear user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Using vague statements like '心情不好', '有点烦', or '感觉很累' as trigger examples risks accidental invocation in routine chat, causing the agent to engage in a semi-therapeutic workflow and ask probing follow-up questions. Because this skill is designed to explore emotional and personal-development issues, ambiguous activation can result in unnecessary sensitive-data collection and user confusion about why a specialized profile-driven coach has taken over.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs persistent saving of dialogue, action history, and insights to a user profile without a clear user-facing notice or consent mechanism. This is dangerous because the stored data can include sensitive emotional state, goals, behavioral patterns, and inferred traits, creating privacy and retention risk if users did not knowingly agree to such storage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Repeated instructions to record and archive personal information amplify the privacy risk because they normalize storing sensitive user details across multiple stages of the interaction without transparency. In a coaching context, these records may reveal intimate struggles, goals, and execution patterns that users reasonably expect to remain ephemeral unless explicitly told otherwise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The end-of-conversation archive flow directs storage of user problems, insights, plans, and outcomes without notifying the user that these details may persist after the chat ends. This is dangerous because users may interpret a closing coaching message as ephemeral support while the system silently retains a structured dossier of personal development and emotional information.

Ssd 3

Medium
Confidence
97% confidence
Finding
Natural-language instructions to retain and reuse user-provided details in a persistent profile create a data-governance vulnerability when no consent, minimization, or lifecycle controls are defined. The danger is heightened here because the profile can accumulate inferred psychological and behavioral information over time, increasing the sensitivity of the stored record.

Ssd 3

Medium
Confidence
96% confidence
Finding
Logging user problems, interests, actions, and insights into a future-recall dossier can produce a detailed personal profile that exceeds user expectations for a coaching chat. Such structured memory can be misused, leaked, or repurposed for profiling if not tightly governed, especially when it contains emotional, motivational, and behavioral data.

Ssd 3

Medium
Confidence
98% confidence
Finding
The directed archival of user problem, insight, plan, and execution results at conversation end establishes persistent profiling without any apparent transparency or user control. This is dangerous because a longitudinal record of personal struggles and follow-through can reveal highly sensitive traits and patterns far beyond what is necessary for a single interaction.

VirusTotal

64/64 vendors flagged this skill as clean.
